This article builds on Article 1: Characteristics of Effective Security Governance and provides a comprehensive description of an enterprise security program (ESP). It highlights those aspects of an ESP that require governance action. The goal of this article is to enable the reader to understand what governance of security means, what it applies to, and how it is exercised.
To be successful, the program requires a security culture and the cooperation of the entire organization. This is achieved by establishing and reinforcing the security “tone” set at the top of the organization, reflected in top-level policies and an effective governance structure. This structure includes a cross-organizational security team, designated key personnel — such as the chief risk officer (CRO), chief security officer (CSO), general counsel (GC), chief information officer (CIO) and others — and the involvement of operational staff. Internal audit has an independent role in auditing the ESP's effectiveness in addressing organizational security risks.
An ESP consists of a series of activities that support an enterprise risk management plan (RMP) and result in the development and maintenance of
Figure 1 depicts the hierarchical relationship of these documents and activities.